
Symantec Enterprise Security Manager IBM DB2 Modules Installation Guide for Windows ... ·...

Date post: 29-Mar-2020
Symantec Enterprise Security Manager IBM DB2 Modules Installation Guide for Windows and UNIX Version 4.3
Page 1: Symantec Enterprise Security Manager IBM DB2 Modules Installation Guide for Windows ... · 2013-12-12 · Symantec™ Enterprise Security Manager IBM DB2 Modules Installation Guide

Symantec™ Enterprise Security Manager IBM DB2 Modules Installation Guide for Windows and UNIX

Version 4.3


Symantec™ Enterprise Security Manager IBM DB2 Modules Installation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.3

Legal Notice

Copyright © 2013 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo, ActiveAdmin, BindView, BV-Control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our website at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information


■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals


Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Contents

Technical Support

Chapter 1 Installing ESM DB2 Modules on Windows
  Before you install
  Minimum account privileges
  System requirements
  Installing ESM DB2 module for IBM DB2 database
  About Content Separation
    About the content package folder structure
    Installing the security content on the ESM managers
    Modifying the importcontent.conf file
    About the importcontent utility
    Using the importcontent utility
    Examples of using the importcontent utility
  Silent installation of ESM DB2 module

Chapter 2 Configuring ESM DB2 Modules on Windows
  Configure ESM DB2 module
    Edit the configuration records
  Silent configuration of ESM DB2 module
  Configure IBM DB2 Database by using ESM DB2 Discovery module
  Configuring a new IBM DB2 database
  Configuring IBM DB2 database with generic credentials
  Reusing generic credentials of an IBM DB2 database
  Removing deleted databases

Chapter 3 Installing ESM DB2 Modules on UNIX
  Before you install
  Minimum account privileges
  System requirements
  Installing ESM DB2 module for IBM DB2 database
  About Content Separation
    About the content package folder structure
    Installing the security content on the ESM managers
    Modifying the importcontent.conf file
  Silent installation of ESM DB2 module

Chapter 4 Configuring ESM DB2 Modules on UNIX
  Silent configuration of ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules
  Edit configuration records of ESM DB2 Audit Configuration and Fix packs modules
  Silent configuration of ESM DB2 module
  Edit configuration records of ESM DB2 module
  Configure IBM DB2 database and instance by using ESM DB2 Discovery module
    Configuring a new IBM DB2 database
    Removing deleted databases
    Configuring a new IBM DB2 instance
    Removing deleted instances

Chapter 5 Uninstalling the ESM DB2 Application module
  Uninstall ESM DB2 Application module
    Running the uninstallation program
    Uninstallation logs
  Silent uninstallation of ESM DB2 module

Chapter 6 Logging DB2 Modules on Windows
  Log functionality on ESM DB2 modules
    Log levels of the messages
    Creating the log level configuration file
    Parameters of the log level configuration file
    Log file
    Format of the log file
    Backup of logs

Chapter 7 Logging DB2 modules on UNIX
  Log functionality on ESM DB2 modules
    Log levels of the messages
    Creating the log configuration file
    Parameters of the configuration file
    Log file
    Format of the log file
    Backup of logs

Chapter 1 Installing ESM DB2 Modules on Windows

This chapter includes the following topics:

■ Before you install

■ Minimum account privileges

■ System requirements

■ Installing ESM DB2 module for IBM DB2 database

■ About Content Separation

■ Silent installation of ESM DB2 module

Before you install

To install the ESM DB2 module, you need the following:

Product disc access
  At least one computer on your network must have a CD-ROM drive.

Account privileges
  On each computer where you want to install the ESM DB2 modules, you must have an account with superuser privileges.

Connection to the manager
  You must verify that the Symantec ESM Enterprise Console can connect to the Symantec ESM manager.

Agent and manager
  You must ensure that the Symantec ESM agent is running and is registered to at least one Symantec ESM manager.

IBM DB2 client
  To use the DB2 module, the IBM DB2 client and the Symantec ESM DB2 application module should be installed on the agent computer.

IBM DB2 client and server
  To use the host-based DB2 module checks, the IBM DB2 client and the Symantec ESM DB2 application module must be installed on the computer where the DB2 server is located.

Minimum account privileges

In order to use the ESM DB2 Remote module to perform the ESM security checks on IBM DB2 server, the login accounts require the minimum privileges to execute the following commands:

■ Select syscat.dbauth

■ Get database manager configuration

■ Get database configuration for <db>

Note: No specific account privileges are required for the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules to work on Windows.

Warning: If you use less than the required privileges for the accounts that the ESM DB2 Application module uses for reporting, then a few checks may not function correctly. As a result, the module may not report on a few conditions that you want to be reported on.
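
One way to confirm that the DB2 login used by the module can run the commands listed above without holding broader database authorities, as an added example that is not part of the Symantec guide. The login name ESMAUDIT and the script file name are placeholders, and the authority columns are limited to those present in DB2 9.5 so that the query runs on all three supported versions.

```sql
-- Added example, not part of the Symantec guide.
-- ESMAUDIT is a placeholder for the DB2 login stored in the module's
-- configuration record. Save as check_esm_privs.sql (hypothetical file name)
-- and run from a DB2 command window while connected as that login:
--   db2 connect to <db> user ESMAUDIT
--   db2 -tvf check_esm_privs.sql

-- 1. Who may read SYSCAT.DBAUTH? The first required command is a SELECT on
--    this view. SELECTAUTH is 'Y' (held) or 'G' (held and grantable); a row
--    for PUBLIC means every login already has it. If this statement itself
--    fails with SQL0551N, the login cannot read the catalog views at all.
SELECT GRANTEE, GRANTEETYPE, SELECTAUTH
FROM SYSCAT.TABAUTH
WHERE TABSCHEMA = 'SYSCAT'
  AND TABNAME = 'DBAUTH'
  AND SELECTAUTH IN ('Y', 'G')
  AND GRANTEE IN ('ESMAUDIT', 'PUBLIC');

-- 2. Database authorities beyond CONNECT that the login, or PUBLIC, holds.
--    An empty result means the account is not over-privileged at the
--    database-authority level. Grants made through groups or roles are not
--    expanded here and have to be reviewed separately.
--    DB2 9.7 and later add further columns (for example DATAACCESSAUTH and
--    ACCESSCTRLAUTH); extend the list when auditing those versions.
WITH HELD (GRANTEE, GRANTEETYPE, AUTHORITY) AS (
  SELECT GRANTEE, GRANTEETYPE, 'DBADM'
    FROM SYSCAT.DBAUTH WHERE DBADMAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'SECADM'
    FROM SYSCAT.DBAUTH WHERE SECURITYADMAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'CREATETAB'
    FROM SYSCAT.DBAUTH WHERE CREATETABAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'BINDADD'
    FROM SYSCAT.DBAUTH WHERE BINDADDAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'LOAD'
    FROM SYSCAT.DBAUTH WHERE LOADAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'IMPLICIT_SCHEMA'
    FROM SYSCAT.DBAUTH WHERE IMPLSCHEMAAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'CREATE_EXTERNAL_ROUTINE'
    FROM SYSCAT.DBAUTH WHERE EXTERNALROUTINEAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'CREATE_NOT_FENCED_ROUTINE'
    FROM SYSCAT.DBAUTH WHERE NOFENCEAUTH = 'Y'
  UNION ALL
  SELECT GRANTEE, GRANTEETYPE, 'QUIESCE_CONNECT'
    FROM SYSCAT.DBAUTH WHERE QUIESCECONNECTAUTH = 'Y'
)
SELECT GRANTEE, GRANTEETYPE, AUTHORITY
FROM HELD
WHERE GRANTEE IN ('ESMAUDIT', 'PUBLIC')
ORDER BY GRANTEE, AUTHORITY;

-- 3. The other two required commands are command line processor commands,
--    not SQL. Run them in the same session to confirm that they succeed:
--   db2 get database manager configuration
--   db2 get database configuration for <db>
```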

System requirements

Table 1-1 lists the supported IBM DB2 versions and operating systems that the Symantec ESM DB2 application module for Windows can be installed on.


Table 1-1 Supported DB2 versions and operating systems

Supported operating systems | Architecture | Supported OS versions | Supported IBM DB2 versions
Windows (32-bit) | x86 | Windows Server 2008 | 9.5, 9.7, and 10.1
Windows (32-bit) | x86 | Windows Server 2003 | 9.5, 9.7, and 10.1
Windows (64-bit) | x64 | Windows Server 2008 | 9.5, 9.7, and 10.1
Windows (64-bit) | x64 | Windows Server 2003 | 9.5, 9.7, and 10.1
Windows (64-bit) | x64 | Windows 2008 server R2 | 9.5, 9.7, and 10.1
RHEL ES, AS (32-bit, 64-bit) | x86 | RHEL ES, AS | 9.5, 9.7, and 10.1
AIX (32-bit, 64-bit) | ppc64 | AIX 6.1 | 9.5, 9.7, and 10.1
Solaris (64-bit) | sparc | Solaris 2.9, 2.10 | 9.5, 9.7, and 10.1

Note: The Symantec ESM Application modules for DB2 are supported only when running checks against the Enterprise Server Edition for the IBM DB2 databases.

Table 1-2 lists the supported IBM DB2 versions and operating systems on which the ESM DB2 module can report remotely.

Note: For reporting remotely on DB2 instances, the DB2 client must be installed and the remote database should be cataloged on the client machine.

Table 1-2 Supported DB2 versions and operating systems

Supported operating systems | Architecture | Supported OS versions | Supported IBM DB2 versions
Red Hat Enterprise Linux ES (32-bit) | x86 | 4 | 9.5, and 9.7
Red Hat Enterprise Linux ES (32-bit) | x86 | 5 and 6 | 9.5, 9.7, and 10.1
Red Hat Enterprise Linux ES (64-bit) | x64 | 5 and 6 | 9.5, 9.7, and 10.1
Red Hat Enterprise Linux ES (64-bit) | x64 | 4 | 9.5
Red Hat Enterprise Linux AS (32-bit) | x86 | 4 | 9.5
AIX (64-bit) | PPC64 | 5.3 and 6.1 | 9.5, 9.7, and 10.1
Sun Solaris | SPARC | 9 and 10 | 9.5, 9.7, and 10.1
Windows (32-bit, 64-bit, and IA64-bit) | x86, Itanium, and x64 | Windows Server 2003 | 9.5, 9.7, and 10.1
Windows (32-bit, 64-bit, and IA64-bit) | x86, Itanium, and x64 | Windows Server 2008 | 9.5, 9.7, and 10.1
Windows (64-bit) | x64 | Windows 2008 server R2 | 9.5, 9.7, and 10.1

To install the Symantec ESM Application module for IBM DB2 Databases, you must have the following free disk space:

Table 1-3 Disk space requirements

Agent operating system | Disk space
Windows 2008 (x86) | 15 MB
Windows 2008 (x64) | 30 MB
Windows 2008 R2 (x64) | 30 MB
Windows 2003 (x86) | 15 MB
Windows 2003 (x64) | 30 MB


Installing ESM DB2 module for IBM DB2 database

You can install the ESM DB2 module on the ESM agent computer by using esmdb2tpi.exe.

The installation program does the following:

■ Extracts and installs the module executables.

■ Registers the module binaries to the ESM manager.

Note: You can skip this step if you have already registered the package for other agents that are installed on the same platform.

Running the installation program and registering the files

1 From the product disc, run \\Content_Update\App_Modules\DB2\<module version>\Modules\<architecture>\esmdb2tpi.exe.

2 Choose one of the following options:

   Option 1   To display the contents of the package.
   Option 2   To install the module.

3 The Do you wish to register the agent to the manager? message appears. Do one of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N if the files have already been registered, and skip to Enabling security checking for your IBM DB2 database.

Note: You must register the template and the .m files once for the agents that use the same manager on the same operating system.

4 Enter the host name or IP address of the ESM manager that the agent is registered to.

5 Enter the ESM login ID to connect to the ESM manager.

6 Enter the password that is used to log on to the ESM manager.

7 Enter the network protocol that is used to contact the ESM manager.

8 Enter the port that is used to contact the ESM Manager. The default port is 5600.


9 Enter the name of the agent that is currently registered with the ESM manager.

Usually, it is the name of the computer that the agent is installed on.

10 The Is this information correct? message appears. Do one of the following:

■ Type a Y to have the agent continue with the registration to the ESM manager.

■ Type an N to have the setup prompt you to re-enter the details of the new manager.

When the extraction is complete, you are prompted to add configuration records to enable the ESM security checking for your IBM DB2 databases.

11 The Do you want to continue and add the configuration records to enable ESM security checking for your DB2 database? [yes] message appears. Do one of the following:

■ Type a Y to configure the ESM DB2 modules on the agent computer. The installation program reads the existing configuration records and displays them.

■ Type an N to continue the program installation without configuration.

When the extraction is complete, you are prompted to add configuration records to enable ESM security checking for your IBM DB2 instances.

Enabling security checking for your IBM DB2 database

1 The installation displays a list of auto-detected DB2 databases. Choose one of the following:

   Option 1   To manually create a new configuration record for an undetected database.
   Option 2   To modify or remove an existing configuration record.
   Option 3   To exit the configuration.

2 To add a configuration record for the database, do the following:

■ Enter a DB2 Alias\Database name, or press Enter if you are satisfied with the detected alias.

■ Enter the DB2 Node\Instance name.

■ Enter the DB2 database login.

■ Enter the password that is used to log on to the DB2 database.

■ Re-enter the password.

The ESM DB2 module searches for the installation path. If the module is unable to find the installation path, the module reports a Setup is unable to find the Installation Path. Please enter DB2 Installation path. message. Re-enter the correct Installation path.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to continue to add a configuration record for this database and enable ESM security check.

■ Type an N to re-enter the connection information.

4 The Do you want to validate the connection with the database? message appears. Do one of the following:

■ Type a Y to connect to a database and validate the connection.

■ Type an N to add the configuration records directly in the configuration file without validating the connection.

5 If the validation fails, the Do you want to add this record to the configuration file message appears. Do one of the following:

■ Type Y to add the record in the configuration file without validating the configuration records.

■ Type N to have the program list all the existing configuration records specified in the DB2module.dat file and prompt you to choose one of the options.

6 After you have created configuration records for each database, the program lists all of the configuration records. Choose one of the following options:

   Option 1   To manually create a new configuration record for an undetected database.
   Option 2   To modify or remove an existing configuration record.
   Option 3   To exit the configuration.

Note: The database connection credentials are stored encrypted with the 256-bit AES encryption algorithm.

About Content Separation

Until now, the content that was included in an Application module was first installed on the agents and later through the registration process it was pushed from the ESM agents to the ESM manager.

From this release onwards, two separate content packages are included. The package that contains the module binaries is to be installed on the ESM agent and the other package that contains the security content such as configuration (.m) files, word files, template files, properties files, and report content files (RDL) is to be installed on the ESM managers. A new folder named Content is created on the ESM manager that contains platform-specific data, which the importcontent utility imports.

Note: You are required to run the esmdb2contenttpi.exe installer on the new manager. For the consecutive releases, perform a LiveUpdate to get the latest security content.

About the content package folder structure

The content package folder on the ESM manager contains content files of the Application modules.

Table 1-4 shows the file types and folder paths of the Application modules.

Table 1-4 File types and folder paths

Content | File type | Folder path
Application modules | .properties files | #esm/content/<AppModuleName>/<platform>/config/
Application modules | Security module (.m) files | #esm/content/<AppModuleName>/<platform>/register/
Application modules | Template files | #esm/content/<AppModuleName>/<platform>/template/
Common | Word files | #esm/content/words/
Common | Report content file (UpdatePackage.rdl) | #esm/content/ble/<SU_version>/<language>/

Installing the security content on the ESM managers

You can install the security content package on the ESM manager by using the esmdb2contenttpi.exe installer, which is applicable for Windows.

The installation program extracts and installs configuration (.m) files, template files, word files, .properties files, and report content files (RDL).


To install the security content on the ESM managers

1 Download and copy the esmdb2contenttpi.exe installer from the Security Response Web site to the desired location.

2 Choose one of the following options:

   Option 1   To display the contents of the package.
   Option 2   To install the module.

Note: Before importing the content data for the Application modules, you must ensure that content data for a Security Update (SU) is present on the manager database. Certain features of the Application modules may not function correctly if the Security Update (SU) content data is not already imported to the manager database.

3 The Do you want to import the templates or the .m files? [no] message appears. Do one of the following:

■ Type a Y, if you want to import the templates or the .m files.

Note: Only an ESM administrator or any ESM user that has the permissions to create policies, create templates, and perform remote installation or upgrade can install the content on the ESM manager. The ESM superuser can also install content on the ESM manager as this user has all the permissions. However, Register only users cannot perform this task as they do not have the specified permissions.

The program displays a message to include or exclude the platforms that you want to import. See “Modifying the importcontent.conf file” on page 18.

■ Type an N, if you do not want to import the templates or the .m files. You can skip this step if you want to import the content later. You can import the content by running the importcontent utility.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name or the IP of the computer that the manager is installed on.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.


7 Enter the port that is used to contact the ESM Manager. The default port is 5600.

8 The Is this information correct? message appears. Do one of the following:

■ Type a Y, the program continues with the installation.

■ Type an N, the setup prompts to re-enter the details of the new manager.

9 The Do you want to import the report content file <UpdatePackage.rdl>?[yes] message appears. Do the following:

■ Type a Y, if you want to import the report content file.

■ Type an N, if you do not want to import the report content file.

When the installation completes, you are prompted to exit.

Modifying the importcontent.conf file

The platforms that you specify in the importcontent.conf file are the platforms that are available to the ESM manager when using the importcontent utility. The importcontent utility only imports the platforms on the ESM manager that are not prefixed with a hash (#).

To modify the importcontent.conf file

1 Go to C:\Program Files\Symantec\Enterprise Security Manager\ESM\config\importcontent.conf.

2 Remove # before the platform that you want to include.

3 Save the file.

4 Go back to esmdb2contenttpi.exe installer and press <return> to continue with the installation process.

About the importcontent utility

The importcontent utility is a command line utility that is used to import the ESM content (IBM DB2 Application modules information) to the specified manager. The utility displays the content version on the GUI or on the CLI. The utility is located in the bin folder of the installation directory, along with other ESM Manager binaries in platform-specific folders.

For example,

C:\Program Files\Symantec\Enterprise Security Manager\ESM\bin\w3s-ix86\importcontent.exe


Note: If the importcontent.exe is not found on the manager, then Content TPI package deploys the importcontent.exe in the bin folder.

Using the importcontent utility

You can use the importcontent utility on Windows and Solaris platforms. The utility provides the option of importing security module (.m) files, property (.properties) files, template files, word (.wrd) files, and report content (UpdatePackage.rdl) files for ESM IBM DB2 Application modules. You can use the -f option to force the import of content-related information at a later stage.

Pre-requisites for using the importcontent utility:

■ You must be in the role of ESM administrator.

■ You must have ESM manager installed on the computer on which you are running the importcontent utility.

To use the importcontent utility

1 Install the ESM Manager and Agent using the ESM Suite Installer.

2 At the Windows command prompt, navigate to the platform-specific bin folder, where the importcontent utility is located.

3 Type the following command:

importcontent [-RLrnvfW] [-m manager] [-U user] [-P password] [-p port] [-L app_module_name1, app_module_name2,...] [-a | module_config_file1 [module_config_file2... ]]

The switch options that can be used with the importcontent utility are listed below.

-m    Manager name - the local manager name is used by default.
-U    User name - the ESM user name is used by default.
-P    Password - the ESM user account password.
-p    TCP port number - the port number is 5600 by default.
-a    Import and register all security module (.m) files with the manager.
-R    Import property files (.properties)
-T    Import all templates
-r    Import report content file (UpdatePackage.rdl)
-W    Import word files
-n    Synchronize policies
-f    Force the import of security module information
-h    Write C include file for security module compilation. Note: -h, and -M options can be used only with the -a option.
-M    Write VMS macro file for security module compilation. Note: -h, and -M options can be used only with the -a option.
-v    Set verbose mode, log each action as it is performed.
-F    Log the program finish.

Examples of using the importcontent utility

The following examples are provided for using the importcontent utility:

■ To access the help menu for the importcontent utility, type the following command:
importcontent

■ To import DB2 Application modules, type the following command:
importcontent -L DB2 -U <user1> -P <pwd123> -m <managerXYZ>

Note: The utility requires the application module names to be similar to the folder names created in the <install dir>\content directory.

■ To import templates for DB2, type the following command:
importcontent -T -L DB2 -U <user1> -P <pwd123> -m <managerXYZ>

■ To synchronize policies, type the following command:
importcontent -nv -U <user1> -P <pwd123> -m <managerXYZ> -U <user1> -P <pwd123>

■ To register specific .m files with the manager, type the following command:
importcontent -U <user1> -P <pwd123> -m <managerXYZ> C:\Symantec\ESM\account.m D:\ESM\acctinfo.m E:\abc.m xyz.m

Silent installation of ESM DB2 module

You can use the esmdb2tpi.exe to install the ESM DB2 module silently.

esmdb2tpi.exe -it -m <Manager Name> -U <Username> -p <5600> -P <password> -g <Agent Name> -e

Table 1-5 lists the command-line options for installing the ESM DB2 module silently.

Table 1-5 Options to install the ESM DB2 module silently

Option  Description
-i      Install this tune-up/third-party package.
-d      Display the description and contents of this tune-up/third-party package.
-U      Specify the ESM manager login ID.
-e      Don't launch the module configuration after installation.
-P      Specify the ESM manager password.
-p      Specify the TCP port to connect to the ESM manager.
-m      Specify the ESM manager name.
-t      Connect to the ESM manager by using TCP.
-x      Connect to the ESM manager by using IPX.
-g      Specify the ESM agent name to use for registration.
-K      Do not prompt for re-registration.
-n      No return is required to exit the tune-up package.
-N      Do not update the report content file on the manager.
-Y      Update the report content file on the manager.
-gif    Specify the filename that will contain the encrypted generic credential record.
-gof    Specify the filename that should be created with the encrypted generic credentials record.


Chapter 2: Configuring ESM DB2 Modules on Windows

This chapter includes the following topics:

■ Configure ESM DB2 module

■ Silent configuration of ESM DB2 module

■ Configure IBM DB2 Database by using ESM DB2 Discovery module

■ Configuring a new IBM DB2 database

■ Configuring IBM DB2 database with generic credentials

■ Reusing generic credentials of an IBM DB2 database

■ Removing deleted databases

Configure ESM DB2 module

After installing the ESM DB2 module, you can edit the configuration records using the DB2Setup.exe. A configuration record is created for each database alias when you enable security checking during installation.

Note: On Windows, you do not have to configure the ESM DB2 module for the ESM DB2 Audit Configuration and Fix Pack modules to work with the local DB2 database.


Edit the configuration records

You can add, modify, or remove the configuration records for the IBM DB2 databases by using the DB2Setup.exe program. By default, DB2Setup.exe is located in the \\<InstallDir>\ESM\bin\<platform>\ directory.

You can run the DB2Setup.exe with the following options:

Table 2-1 lists the options for configuring the ESM DB2 modules

Table 2-1 Options for configuring the ESM DB2 modules

Command                                   Task
DB2Setup -h                               Display Help
DB2Setup -c                               Create configuration records for detected IBM DB2 databases.
DB2Setup -a                               Add new configuration records for undetected IBM DB2 databases.
DB2Setup -m                               Modify or remove existing IBM DB2 database configuration records.
DB2Setup -l                               List existing DB2 database configuration records.
DB2Setup -if <file name> -of <file name>  Setup reads from the input file other than default file \\InstallDirectory\esm\config\DB2Module.dat. This option works in collaboration with -of option.
DB2Setup -of <file name>                  Specify a new output file for the IBM DB2 database configuration records. The default file is \\InstallDirectory\esm\config\DB2Module.dat.

Silent configuration of ESM DB2 module

Once the application module is installed, you can use the DB2Setup.exe to add configuration records to the ESM DB2 module silently.

DB2Setup.exe -q -D <Database/Alias name> -I <Instance/Node name> -U <username> -P <password> -X "<InstallPath>" [-V]

Use the following option to configure the ESM DB2 module silently:

Table 2-2 lists the options for configuring the ESM DB2 module silently


Table 2-2 Options to configure the ESM DB2 module silently

Options  Description
-q       Silently configure the DB2 module.
-D       Specify the database name.
-I       Specify the instance name.
-U       Specify the username.
-P       Specify the password.
-X       Specify the installation path.
-V       Specify to validate the connection to the DB2 database with the given instance name, user name, and password.

Configure IBM DB2 Database by using ESM DB2 Discovery module

The ESM DB2 Discovery module includes four checks that let you automate the detection and configuration of new databases that are not yet configured on the local ESM agent computers. Moreover, the checks also detect the deleted databases and let you remove the deleted databases from the \\Program Files\Symantec\ESM\config\DB2Module.dat configuration file.

Configuring a new IBM DB2 database

To report on the IBM DB2 database you must first configure the IBM DB2 database on an ESM agent computer.

Configuring a new IBM DB2 database manually

1 Run the ESM DB2 Discovery module on the ESM agent computers that have IBM DB2 installed.

The module lists all the new databases that were not previously configured.

2 Select multiple databases and do one of the following:

■ Right-click and select Correction option. The Correction option configures the databases with custom credentials.

■ Right-click and select Snapshot Update option. The Snapshot Update option configures the database with generic credentials. Before you select the Snapshot Update option, you should first configure the generic credentials. See “Configuring IBM DB2 database with generic credentials” on page 25.

Configuring a new IBM DB2 database automatically

1 Enable the check Automatically add new database.

The check uses the generic credentials to configure the newly discovered database entry in the \\Program Files\Symantec\ESM\config\DB2Module.dat configuration file automatically.

If the connection attempt fails then the module returns a correctable message.

2 To use the Correctable option, do the following:

■ Right-click on the message

■ Choose Correction option

■ Enter custom credentials

The DB2 Discovery module uses these credentials and attempts to connect and adds the configuration record in the configuration file after each successful connection.

Configuring IBM DB2 database with generic credentials

You can configure a new IBM DB2 database on an ESM agent computer by using a generic credential. The generic credential option helps you to configure a common credential for all the IBM DB2 databases on an ESM agent computer.

Specifying generic credentials

1 On the Command Prompt, type DB2SETUP.exe -G.

2 Enter the Generic Login ID: User name.

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The generic credentials are configured in the \\Program Files\Symantec\ESM\config\DB2Module.dat.


Reusing generic credentials of an IBM DB2 database

If you want to specify a common generic credential on multiple IBM DB2 servers it is not necessary to use DB2SETUP.exe -G option on every IBM DB2 server. Instead, you can use -gif and -gof options to specify a generic credential. The specified generic credential is then stored in an encrypted format in a file that can be reused on every IBM DB2 server. You should first specify the generic credentials and then reuse the generic credentials.

Specifying generic credentials

1 On the Command Prompt, type DB2SETUP.exe -gof <filepath>

For example: DB2Setup.exe -gof C:\pass.dat.

2 Enter the Generic Login ID: User name

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The pass.dat file is created with the encrypted generic credentials that are specified in Step 1.

Reusing generic credentials

1 Copy the pass.dat file to each IBM DB2 ESM agent computer where you want to import the generic credentials.

2 On the Command Prompt, type DB2SETUP -gif <filepath>

For example: DB2Setup.exe -gif C:\pass.dat.

The generic credentials are imported into the \\Program Files\Symantec\ESM\config\DB2Module.dat file.

Removing deleted databases

Although you may have deleted an IBM DB2 database, the configuration information still exists in the ESM module. As a result, the module when executed reports the deleted IBM DB2 databases as deleted databases.

Removing deleted databases manually

1 Run the Discovery module on the target ESM agent computers. The module lists all the deleted databases that were configured earlier.

2 Select multiple databases, if appropriate, right-click and select Snapshot Update option.

The Snapshot Update option deletes the configuration information of such databases.


Removing deleted databases automatically

◆ Enable the check Automatically remove deleted databases.

The module automatically deletes the corresponding database records from the \\Program Files\Symantec\ESM\config\DB2Module.dat configuration file.


Chapter 3: Installing ESM DB2 Modules on UNIX

This chapter includes the following topics:

■ Before you install

■ Minimum account privileges

■ System requirements

■ Installing ESM DB2 module for IBM DB2 database

■ About Content Separation

■ Silent installation of ESM DB2 module

Before you install

To install the ESM DB2 module, you need the following:

Product disc access        At least one computer must have a CD-ROM drive on your network.
Account privileges         On each computer, you must have super user privileges of an account where you want to install the ESM DB2 modules.
Connection to the manager  You must verify that the Symantec ESM Enterprise Console can connect to the Symantec ESM manager.
Agent and manager          You must ensure that the Symantec ESM agent must run and must be registered to at least one Symantec ESM manager.
IBM DB2 client and server  You must ensure that Symantec ESM DB2 module is installed for DB2 Host-based modules, client, and server.

Note: The Symantec ESM Modules for IBM DB2 Databases support 9.5, 9.7 and 10.1 database versions.

Minimum account privileges

For the ESM DB2 Remote module to perform the ESM security checks on IBM DB2 server, the login accounts require the minimum privileges to execute the following commands:

■ Select syscat.dbauth

■ Get database manager configuration

■ Get database configuration for <db>

For the ESM DB2 Audit Configuration module, the login account that you specify during configuration must have the following authority:

■ sysadm

Warning: If you use less than the required privileges for the accounts that the ESM DB2 Application module uses for reporting, then a few checks may not function correctly. As a result the module may not report on a few conditions that you want to be reported on.

System requirements

Table 3-1 lists the IBM versions and the operating systems that support the ESM Application modules for DB2.


Table 3-1 Supported DB2 versions and operating systems

Supported operating system            Architecture  Supported OS versions  Supported IBM DB2 versions
Red Hat Enterprise Linux ES (32-bit)  x86           4                      9.5, and 9.7
Red Hat Enterprise Linux ES (32-bit)  x86           5 and 6                9.5, 9.7, and 10.1
Red Hat Enterprise Linux ES (64-bit)  x64           5 and 6                9.5, 9.7, and 10.1
Red Hat Enterprise Linux AS (32-bit)  x86           4                      9.5
AIX (64-bit)                          PPC64         5.3 and 6.1            9.5, 9.7, and 10.1
Sun Solaris                           SPARC         9 and 10               9.5, 9.7, and 10.1

Note: The Symantec ESM Application modules for DB2 are supported only on the Enterprise Server Edition for the IBM DB2 databases.

Table 3-2 lists the disk space requirements for Symantec ESM DB2 modules for IBM DB2 databases.

Table 3-2 Disk space requirements

Agent operating system  Disk space
Sun Solaris SPARC       30 MB
RHEL (x86)              30 MB
AIX (PPC64)             65 MB

Installing ESM DB2 module for IBM DB2 database

You can install the ESM DB2 module on the ESM agent computer by using the esmdb2.tpi.

The installation program does the following:

■ Extracts and installs the module executables.

■ Registers the module binaries to the ESM manager.


Note: You can skip this step if you have already registered the package for other agents that are installed on the same platform.

To run the installation program and register the files

1 From the product disc, run /DATABASES/DB2/Modules/<architecture>/esmdb2.tpi

2 Choose one of the following options:

Option 1    To display the contents of the package.
Option 2    To install the module.

3 The Do you wish to register the agent to the manager? message appears. Do one of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N, if the files have already been registered, and skip to To enable security checking for your IBM DB2 databases and instances.

Note: You must register the template and the .m files once for the agents that use the same manager on the same operating system.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name of the computer that the manager is installed on.

5 The message Would you like to validate the existence of instance? [yes] appears.

■ Type a Y, to validate the existence of an instance.

■ Type an N, to proceed without validating the existence of an instance.

6 Enter the ESM access name (logon name) for the manager.

7 Enter the ESM password that is used to log on to the ESM manager.

8 Enter the network protocol that is used to contact the ESM manager.

9 Enter the network port that is used to contact the ESM Manager.

The default port is 5600.

10 Enter the name of the agent that is currently registered to the ESM manager.

Usually, it is the name of the computer that the agent is installed on.


11 The Is this information correct? message appears. Do one of the following:

■ Type a Y, the agent continues with the registration to the ESM manager.

■ Type an N, the setup prompts to re-enter the details of the new manager.

When the extraction is complete, you are prompted to add configuration records to enable the ESM security checking for your IBM database.

12 The Do you want to continue and add configuration records to enable ESM security checking for your DB2 database? [yes] message appears. Do one of the following:

■ Type a Y, to configure the ESM DB2 modules on the agent computer.

■ The installation program reads the existing configuration records and displays them.

■ Type an N, the program installation continues without configuration.

When the extraction is complete, you are prompted to add configuration records to enable ESM security checking for your IBM DB2 instances.

If you have typed a Y the installation program displays any already existing configuration records. At this point you are prompted to add configuration records for your various IBM DB2 instances to your module’s configuration file. For more information, see “To enable security checking for your IBM DB2 databases and instances” on page 32. By adding the DB2 instance records, all DB2 module checks will be available except those in the DB2 Remote, DB2 Audit Configuration, and DB2 Fix Pack modules. Further configuration is required for these three modules, as explained further in this chapter.

To enable security checking for your IBM DB2 databases and instances

1 The installation displays a list of auto-detected DB2 databases. Choose one of the following:

Option 1    To manually create a new configuration record for an undetected database.
Option 2    To modify or remove an existing configuration record.
Option 3    To exit the configuration.

2 To add a configuration record for the database, do the following:

■ Enter the DB2 Alias\Database name. Press Enter if you are satisfied with the detected alias.

■ Enter the Node name that is remotely configured.


■ Enter the DB2 database login.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to continue to add this configuration record and to add any more.

■ Type an N to re-enter the connection information.

4 The Do you want to validate the connection with the database? message appears. Do one of the following:

■ Type a Y to validate the connection to the newly configured database.

■ Type an N, the program lists all the existing configuration records and you are prompted to add more if required.

5 If the validation fails, the Do you want to add this record to the configuration file message appears. Do one of the following:

■ Type a Y to add the record in the configuration file without validating the configuration records.

■ Type an N, the program lists all the configuration records and prompts you to choose one of the options.

6 After you have created configuration records for each database, the program lists all of the configuration records. Choose one of the following options:

Option 1    To manually create a new configuration record for an undetected database.
Option 2    To modify or remove an existing configuration record.
Option 3    To exit the configuration.

Configuring ESM DB2 module

1 You are prompted to configure the ESM DB2 module. Type a Y, if you want to continue with the configuration of the ESM DB2 module.

Note: Create a configuration record for only the DB2 instances that you want to perform checks against.

2 Do one of the following:

■ Enter the IBM DB2 database alias.

■ Enter the IBM DB2 instance name.


■ Enter the User ID to log on to the IBM DB2 database.

Note: The ESM module is enhanced to configure the DB2 database without the password. Now the module prompts for the database name, the instance name, and the user name.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to save the configuration record and continue with the next database.

■ Type an N to begin again with the same instance.

Note: The user name is encrypted when it is displayed for your approval.

4 Repeat the first three steps to configure another database.

After you have created a DB2 module configuration record for your chosen databases, the program lists all of the configuration records. Choose one of the following options:

Option 1    To create a new configuration record database.
Option 2    To modify or remove an existing configuration record.
Option 3    To finish the installation and exit the program.

Note: The encryption that is used to store the credentials is 256-bit AES encryption algorithm.

Configuring ESM DB2 Audit Configuration and ESM DB2 Fix Packs modules

1 You are prompted to configure the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs module. Do one of the following:

■ Type a Y to continue the ESM DB2 Audit Configuration and ESM DB2 Fix Packs modules configuration.

■ Type an N to end the installation without configuration.

2 Do the following:


■ Enter the IBM DB2 instance name.

■ Enter the user with SYSADM authority.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to save the configuration record and continue with the next instance.

■ Type an N to begin again with the same instance.

4 Repeat the first three steps for each IBM DB2 instance.

5 After you have created configuration records for each instance, the program lists all of the configuration records. Choose one of the following options:

Option 1    To create a new configuration record for an instance.
Option 2    To modify or remove an existing configuration record.
Option 3    To finish the installation and exit the program.

About Content Separation

Until now, the content that was included in an Application module was first installed on the agents and later through the registration process it was pushed from the ESM agents to the ESM manager.

From this release onwards, two separate content packages are included. The package that contains the module binaries is to be installed on the ESM agent and the other package that contains the security content such as configuration (.m) files, word files, template files, properties files, and report content files (RDL) is to be installed on the ESM managers. A new folder named Content is created on the ESM manager that contains platform-specific data, which the importcontent utility imports.

Note: You are required to run the esmdb2content.tpi installer on the new manager. For the consecutive releases, perform a LiveUpdate to get the latest security content.


About the content package folder structure

The content package folder on the ESM manager contains content files of the Applications modules.

Table 3-3 shows the file types and folder paths of the Application modules.

Table 3-3 File types and folder paths

Content              File type                                Folder path
Application modules  .properties files                        #esm/content/<AppModuleName>/<platform>/config/
Application modules  Security module (.m) files               #esm/content/<AppModuleName>/<platform>/register/
Application modules  Template files                           #esm/content/<AppModuleName>/<platform>/template/
Common               Word files                               #esm/content/words/
Common               Report content file (UpdatePackage.rdl)  #esm/content/ble/<SU_version>/<language>/

Installing the security content on the ESM managers

You can install the security content package on the ESM manager by using the esmdb2content.tpi installer, which is applicable for UNIX.

The installation program extracts and installs configuration (.m) files, template files, word files, .properties files, and report content files (RDL).

To install the security content on the ESM managers

1 Download and copy the esmdb2content.tpi installer from the Security Response Web site to the desired location.

2 Choose one of the following options:

Option 1    To display the contents of the package.
Option 2    To install the module.

Note: Before importing the content data for the Application modules, you must ensure that content data for a Security Update (SU) is present on the manager database. Certain features of the Application modules may not function correctly if the Security Update (SU) content data is not already imported to the manager database.


3 The Do you want to import the templates or the .m files? [no] message appears. Do one of the following:

■ Type a Y, if you want to import the templates or the .m files.

Note: Only an ESM administrator or any ESM user that has the permissions to create policies, create templates, and perform remote installation or upgrade can install the content on the ESM manager. The ESM superuser can also install content on the ESM manager as this user has all the permissions. However, Register only users cannot perform this task as they do not have the specified permissions.

The program displays a message to include or exclude the platforms that you want to import. See “Modifying the importcontent.conf file” on page 38.

■ Type an N, if you do not want to import the templates or the .m files. You can skip this step if you want to import the content later. You can import the content by running the importcontent utility.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name or the IP of the computer that the manager is installed on.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.

7 Enter the port that is used to contact the ESM Manager. The default port is 5600.

8 The Is this information correct? message appears. Do one of the following:

■ Type a Y, the program continues with the installation.

■ Type an N, the setup prompts to re-enter the details of the new manager.

9 The Do you want to import the report content file <UpdatePackage.rdl>? [yes] message appears. Do the following:

■ Type a Y, if you want to import the report content file.

■ Type an N, if you do not want to import the report content file.

When the installation completes, you are prompted to exit.


Modifying the importcontent.conf file

The platforms that you specify in the importcontent.conf file are the platforms that are available to the ESM manager when using the importcontent utility. The importcontent utility only imports the platforms on the ESM manager that are not prefixed with a hash (#).

To modify the importcontent.conf file

1 Go to C:\Program Files\Symantec\Enterprise Security Manager\ESM\config\importcontent.conf.

2 Remove # before the platform that you want to include.

Note: As the UNIX folder contains common content for all UNIX sub platforms, a semi-colon (;) separates these sub-platforms from UNIX. For example: lnx-x86;unix.

3 Save the file.

4 Go back to esmdb2contenttpi.exe installer and press <return> to continue with the installation process.
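The hash-prefix rule above, combined with the content folder layout in Table 3-3, as an added example that is not part of the guide or of the ESM product: a pre-flight script for the manager that lists the entries importcontent would act on and checks that each platform has a folder under the content directory for the module name passed to -L. The one-entry-per-line file layout, the function names, and the sample platform names other than lnx-x86;unix and w3s-ix86 are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check to run on the manager before importcontent.
# Assumed (not stated in the guide): one platform entry per line in
# importcontent.conf; function names and sample platform names are made up.

# Print the entries importcontent would act on: lines NOT prefixed with '#'.
enabled_platforms() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop CRs (file may have been edited on Windows), trim, skip blanks.
    tr -d '\r' < "$conf" | awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }
        { print }'
}

# For each enabled entry, split sub-platform and common folder on ';'
# (for example lnx-x86;unix) and look for <content_root>/<module>/<platform>.
# <module> is the name you would pass to -L, which must match the folder name.
# Prints "OK <platform>: <subfolders found>" or "NO CONTENT <platform>";
# returns 1 if any enabled platform has no folder, 2 if the file is unreadable.
check_content() {
    conf=$1; content_root=$2; module=$3
    entries=$(enabled_platforms "$conf") || return 2
    platforms=$(printf '%s\n' "$entries" | tr ';' '\n' | sort -u)
    status=0
    for platform in $platforms; do
        base="$content_root/$module/$platform"
        if [ ! -d "$base" ]; then
            echo "NO CONTENT $platform"
            status=1
            continue
        fi
        found=""
        for sub in config register template; do
            if [ -d "$base/$sub" ]; then found="$found $sub"; fi
        done
        echo "OK $platform:$found"
    done
    return $status
}

# Constructed sample (not real product data) so the example runs offline.
make_sample() {
    root=$1
    mkdir -p "$root/config" \
             "$root/content/DB2/lnx-x86/config" \
             "$root/content/DB2/lnx-x86/register" \
             "$root/content/DB2/unix/template"
    cat > "$root/config/importcontent.conf" <<'EOF'
#aix-ppc64;unix
lnx-x86;unix
#w3s-ix86
solaris-sparc;unix
EOF
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_content "$demo_dir/config/importcontent.conf" "$demo_dir/content" DB2 || true
rm -rf "$demo_dir"
```

A NO CONTENT line means a platform is enabled in importcontent.conf but has no folder for that module under the content directory.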

Silent installation of ESM DB2 module

You can use the esmdb2.tpi to install the ESM DB2 module silently.

esmdb2.tpi -it -m <Manager Name> -U <Username> -p <5600> -P <password> -g <Agent Name> -e

Table 3-4 lists the command-line options for installing the ESM DB2 module silently.

Table 3-4 Options to install the ESM DB2 module silently

Option  Task
-i      Install this tune-up/third-party package.
-d      Display the description and contents of this tune-up/third-party package.
-U      Specify the ESM manager login name.
-e      Do not execute the before and after executables (installation without configuration).
-p      Specify the TCP port to use.
-P      Specify the ESM manager password.
-m      Specify the ESM manager name.
-t      Connect to the ESM manager by using TCP.
-g      Specify the ESM agent name for registration.
-K      Do not prompt for and do the re-registration of the agents.
-Y      Update the report content file on the manager.


Chapter 4: Configuring ESM DB2 Modules on UNIX

This chapter includes the following topics:

■ Silent configuration of ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules

■ Edit configuration records of ESM DB2 Audit Configuration and Fix packs modules

■ Silent configuration of ESM DB2 module

■ Edit configuration records of ESM DB2 module

■ Configure IBM DB2 database and instance by using ESM DB2 Discovery module

Silent configuration of ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules

You can use the db2setup utility to configure the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules silently.

Use the following option to configure the ESM DB2 module silently for the DB2 Audit Configuration and Fix Packs modules:

Table 4-1 lists the options for configuring the ESM DB2 module for the Audit Configuration and the Fix Packs modules silently.

Table 4-1 Options to configure the ESM DB2 module for Audit Configuration and Fix Packs modules silently

Option    Task
-q -H     Silently configure the DB2 Audit Configuration module and the DB2 Fix Packs modules.
-N        Specify the host instance name.
-A        Specify the user that has SYSADM authority.
-V        Specify to validate the connection to the DB2 database with the given instance name and user name.

For example,

db2setup -q -H -N <instance name> -A <username> -V

Edit configuration records of ESM DB2 Audit Configuration and Fix packs modules

After installing the ESM DB2 Audit Configuration and Fix packs modules you can add, modify, or remove the configuration records for the IBM DB2 database instances by using the db2setup utility program. A configuration record is created for each IBM DB2 instance in the DB2ModulePath.dat file when you enable security checking during installation. By default, db2setup utility is located in the /<InstallDir>/ESM/bin/<platform>/ directory.

Table 4-2 lists the editing options to configure records for the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules.

Table 4-2 Edit configuration records for the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules

Command           Task
DB2Setup -H -c    Add a new configuration record for DB2 database.
                  Warning: This option deletes the existing configuration records.
DB2Setup -H -a    Add a new configuration record for DB2 database.
DB2Setup -H -m    Modify the existing DB2 instance configuration records.
DB2Setup -H -l    List the existing DB2 instance configuration records.

Silent configuration of ESM DB2 module

You can use the db2setup utility to configure the ESM DB2 module silently.

Use the following option to configure the ESM DB2 module silently:

Table 4-3 lists the options for configuring the ESM DB2 module silently.

Table 4-3 Options to configure the ESM DB2 module silently

Option    Task
-q        Silently configure the DB2 module.
-D        Specify the database name.
-I        Specify the instance name.
-U        Specify the username.
-V        Specify to validate the connection to the DB2 database with the given instance name and user name.

Note: The ESM module is enhanced to configure the DB2 database without a password. The module no longer requires the -P option.

db2setup -q -D <Database name> -I <Instance name> -U <User name>

Edit configuration records of ESM DB2 module

After installing the ESM DB2 module you can add, modify, or remove the configuration records for the IBM DB2 database instances by using the db2setup utility program. A configuration record is created for each database in the DB2module.dat file when you enable security checking during installation.

By default, db2setup utility is located in the /<InstallDir>/ESM/bin/<platform>/ directory.

Run db2setup utility on the ESM DB2 module with the following options:

Table 4-4 lists the editing configuration records.

Table 4-4 Edit configuration records for the ESM DB2 module

Command        Task
DB2Setup -h    Display Help
DB2Setup -c    Create configuration records for the detected IBM DB2 databases.
DB2Setup -a    Add new configuration records for the undetected IBM DB2 databases.
DB2Setup -m    Modify or remove existing IBM DB2 database configuration records.
DB2Setup -l    List the existing IBM DB2 database configuration records.

Note: The ESM module is enhanced to configure the DB2 database without a password. Now the module prompts for the database name, the instance name, and the user name.

Configure IBM DB2 database and instance by using ESM DB2 Discovery module

The ESM DB2 Discovery module includes eight checks that let you automate the detection and configuration of new databases and instances that are not yet configured on the local ESM agent computers. The checks also detect the deleted databases and instances and let you remove the deleted databases and instances from the configuration file.

The following checks in the ESM DB2 Discovery module update the DB2Module.dat file that the ESM DB2 modules use:

■ Detect New Database

■ Detect Deleted Database

■ Automatically Add New Database

■ Automatically Remove Deleted Database

See “Configuring a new IBM DB2 database” on page 44.

The following checks in the ESM DB2 Discovery module update the DB2ModulePath.dat file that the ESM DB2 Audit Configuration and ESM Fix Packs modules use:

■ Detect New Instance

■ Detect Deleted Instance

■ Automatically Add New Instance

■ Automatically Remove Deleted Instance

See “Configuring a new IBM DB2 instance” on page 45.

For more information on the checks in the ESM DB2 Discovery module, see the Symantec™ Enterprise Security Manager IBM DB2 Modules User Guide.

Configuring a new IBM DB2 database

To report on a new IBM DB2 database you should first create a configuration record for the IBM DB2 database on an ESM agent computer that already has the DB2 application module installed.

To configure a new IBM DB2 database manually

1 Run the Discovery module on the ESM agent computers that have IBM DB2 installed.

The module lists all the new databases that were not previously configured.

2 Select the databases, right-click, and then select Correction option.

The Correction option configures the databases with the user name.

To configure a new IBM DB2 database automatically

1 Enable the check Automatically add new database.

The check uses the user name that is specified in the User Name text box to configure the newly discovered database entry in the configuration file /esm/config/DB2Module.dat.

If the connection attempt fails then the module returns a correctable message.

2 To use the Correctable option, do the following:

■ Right-click on the message

■ Choose correction option

■ Enter the user name

The ESM DB2 Discovery module uses the user name and attempts to connect to the database. After each successful connection, the ESM DB2 Discovery module adds a configuration record in the configuration file.

Removing deleted databases

Although you may have deleted an IBM DB2 database, the configuration information still exists in the ESM DB2 configuration file /esm/config/DB2Module.dat. As a result, the module, when executed, reports the deleted IBM DB2 databases as deleted databases.

To remove deleted databases manually

1 Run the Discovery module on the target ESM agent computers. The module lists all the deleted databases that were configured earlier.

2 Select the databases, right-click and select Snapshot Update option.

The Snapshot Update option deletes the configuration information of such databases.

To remove the deleted databases automatically

◆ Enable the check Automatically remove deleted databases.

The module automatically deletes the corresponding database records from the configuration file /esm/config/DB2Module.dat.

Configuring a new IBM DB2 instance

To report on the IBM DB2 instance you should first configure the IBM DB2 instance on an ESM agent computer.

To configure a new IBM DB2 instance manually

1 Run the Discovery module on the ESM agent computers that have IBM DB2 installed.

2 The module lists all the new instances that were not previously configured.

3 Select the instances, right-click, and select Correction option.

The Correction option configures the instances with the user name.

To configure a new IBM DB2 instance automatically

1 Enable the check Automatically add new instance.

The check uses the user name that is specified in the User Name text box to automatically configure the newly discovered instance entry in the configuration file /esm/config/DB2ModulePath.dat.

If ESM DB2 discovery module fails to add the configuration record then the module returns a correctable message.

2 To use the Correctable option, do the following:

■ Right-click on the message

■ Choose Correction option

■ Enter the user name

The DB2 Discovery module uses the user name and attempts to connect and adds the configuration record in the configuration file after each successful connection.

Removing deleted instances

Although you may have deleted an IBM DB2 instance, the configuration information still exists in the ESM DB2 configuration file. As a result, the module, when executed, reports the deleted IBM DB2 instances as deleted instances.

To remove deleted instances manually

1 Run the Discovery module on the target ESM agent computers. The module lists all the deleted instances that were configured earlier.

2 Select the instances, right-click and select Snapshot Update option.

The Snapshot Update option deletes the configuration information of such instances.

To remove the deleted instances automatically

◆ Enable the check Automatically remove deleted instances.

The module automatically deletes the corresponding instance records from the configuration file /esm/config/DB2ModulePath.dat.

Chapter 5: Uninstalling the ESM DB2 Application module

This chapter includes the following topics:

■ Uninstall ESM DB2 Application module

■ Silent uninstallation of ESM DB2 module

Uninstall ESM DB2 Application module

You can uninstall all the components of the ESM DB2 Application module that are installed on the ESM agent computer and unregister the module from the manager. You can uninstall the ESM DB2 Application module using the uninstaller program.

The DB2uninstall executable uninstalls the following components:

■ Application executables

■ Configuration files

■ Environment configuration files

■ Configuration file with server records

■ Snapshot files (Windows)

■ DB2 Application module version file

■ Registry entry of DB2 Application module (Windows)

■ Application-specific log file

■ Manifest entries of the DB2 Application module

■ ESM DB2 Application module entry in the agentapp.dat file


Running the uninstallation program

You can uninstall the DB2 Application modules on the ESM agent computer by using the DB2uninstall executable.

To uninstall the DB2 Application module

1 On Windows, at the command prompt, type cd <path> to open the directory that corresponds to vendor\bin\operating system\DB2uninstall.exe.

On UNIX, at the command prompt, type cd <path> to open the directory that corresponds to vendor/bin/operating system/DB2uninstall.

The program first checks for the version of the installed register binary. The register binary that is required to uninstall the ESM DB2 Application Module must be of version 10.0.285.10011 or later on Windows and 10.0.285.10003 or later on UNIX. If the program does not find the required version, it reports an error and aborts the uninstallation process.

2 The "This will uninstall the application module permanently. Do you want to continue? [yes]" message appears. Do one of the following:

■ Type a Y, if you want to continue with the uninstallation.

■ Type an N, if you want to exit.

3 The "Do you want to register the agent to the manager after uninstallation? [yes]" message appears. Do one of the following:

■ Type a Y, if you want to register the agent to the manager. The program informs the manager about the uninstallation of the DB2 Application module from the agent computer that is registered to it.

■ Type an N, if you do not want to register the agent to the manager.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name of the computer that the manager is installed on.

5 Enter the name of the agent as it is currently registered to the ESM manager.

Usually, it is the name of the computer that the agent is installed on.

6 Enter the ESM access name (logon name) for the manager.

7 Enter the ESM password that is used to log on to the ESM manager.

8 Re-enter the password.

9 Enter the port that is used to contact the ESM Manager.

The default port is 5600.

10 The "Is this information correct?" message appears. Do one of the following:

■ Type a Y, the agent continues with the registration to the ESM manager.

■ Type an N, the setup prompts to re-enter the details of the new manager.

Note: The uninstaller program validates the manager name with the manager name that is present in the manager.dat file. If the manager name does not match, the program reports a message, "Specified manager is not found in manager.dat file. Skipping re-registration for <manager name>."

11 The "Would you like to add registration information of another manager? [no]" message appears. Do one of the following:

■ Type a Y, the agent continues with the registration of another manager.

■ Type an N, the agent is successfully registered to the manager.

Note: If the uninstallation fails, then ESM rolls back the uninstallation action and brings back the agent to its original state.

Uninstallation logs

The uninstaller creates a log file for you to know about the changes that the uninstaller program performed. The log file, ESM_DB2_Uninstall.log, is stored in the system folder. The specified folder is located at C:\Program Files\Symantec\Enterprise Security Manager\ESM\system\<Host_Name> on Windows and <esm_install_dir>/ESM/system/<Host_Name> on UNIX. The uninstaller program automatically creates the log file and captures the uninstallation events and errors in it.

Silent uninstallation of ESM DB2 module

You can use the DB2uninstall.exe to uninstall the ESM DB2 module silently, by using the following command:

db2uninstall -S -m <manager> -N <agent> [-p <port>] [-mfile <mgrfile>] -U <user> -P <password>

or

db2uninstall -S -F <mgrfile>

or

db2uninstall -S

Table 5-1 lists the command-line options for uninstalling the ESM DB2 module silently.

Table 5-1 Options to uninstall the ESM DB2 module silently

Option    Description
-F        Enters the interactive mode and invokes the uninstall operation.
-mfile    Enters the interactive mode and creates a data file with details of the ESM manager and user credentials.
-S        Invokes the uninstallation in a silent mode.
          Note: If -S is specified without any other option then the re-registration is not performed. The uninstall program enters the interactive mode and invokes the uninstall operation.
-m        Specify the ESM manager name.
-N        Specify the agent name as registered with the ESM manager.
-p        Specify the TCP port to connect to the ESM manager.
-U        Specify the ESM manager login ID.
-P        Specify the ESM manager password.

Chapter 6: Logging DB2 Modules on Windows

This chapter includes the following topics:

■ Log functionality on ESM DB2 modules

Log functionality on ESM DB2 modules

The logging feature in the ESM DB2 modules enables specific modules to log information such as errors and exceptions generated at runtime. This feature is enabled for the Audit configuration, Fix pack, Remote, System, Configuration, Privileges, and Discovery modules. Detailed logging is also enabled for the DB2Setup.exe that is used for DB2 configuration.

Log levels of the messages

The log level specifies the type and criticality of a message. You can manually create a configuration file named esmlog.conf and specify the log level messages that you want to be logged.

ESM checks the log level that you set in the configuration file and stores only the qualifying messages in the log file.

See “Creating the log level configuration file” on page 53.

You can specify the following log levels:

ESMNOLOG
    Disable logging for the module.
    If ESMNOLOG is specified in the log level configuration file, even critical failure messages are not logged.

ESMCRITICALFAILURES
    All critical failures are logged.
    Note: ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION is the default log level and you need not explicitly specify it in the configuration file.

ESMERRORS
    All errors are logged.
    The following are some examples of the errors:
    ■ Template file not found
    ■ Configuration file not found

ESMEXCEPTIONS
    All exceptions are logged.

ESMWARNINGS
    All warnings are logged.

ESMINFORMATION
    All information messages are logged.
    The information that is gathered during a policy run is also logged at this level.
    Note: When you enable the ESMINFORMATION level, the performance of the module may be affected since all the information messages are logged.

ESMTRACE
    All debug information is logged.

ESMPERFMANCETIMING
    All time-consuming operations are logged.

ESMAUDIT
    All audit information is logged.
    This level covers the data modification operations such as Correction and Update.

ESMMAXIMUM
    Includes all log levels except ESMNOLOG.

Specify the log level in the LogLevel parameter of the configuration file. For example, to log the messages for the discovery module that are related to critical failures, specify the log level as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES

You can also specify multiple log levels by separating them with a pipe (|) character as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES|ESMPERFMANCETIMING

You can use log levels for specific operations as follows:

For regular policy runs
    ESMCRITICALFAILURES and ESMERRORS

To generate detailed logs for policy failure
    ESMCRITICALFAILURES, ESMERRORS, ESMTRACE, and ESMINFORMATION

Creating the log level configuration file

To manually change the log level for a module or modules, create a configuration file named esmlog.conf in the <esm_install_dir>\config folder and specify the values that ESM uses to store the logs of a module.

Creating the configuration file

1 Change to the <esm_install_dir>\config folder.

2 Create a new text file and specify the parameters and their values.

3 Save the text file as esmlog.conf.

See Table 6-1 on page 53.

The following is an example of the entries in the configuration file:

[MaxFileSize] = 1024

[NoOfBackupFile] = 20

[LogFileDirectory] = <esm_install_dir>\system\agentname\logs

[db2discovery_LogLevel] = ESMINFORMATION|ESMTRACE

[db2discovery_LogLevel] = ESMMAXIMUM

Note: A default log level configuration file is not installed with the ESM DB2 modules. You must manually create the file and specify the parameters in it.

Note: If the esmlog.conf file already exists, you can append the DB2 module log level information to the existing file.

Parameters of the log level configuration file

Table 6-1 lists the parameters that you need to specify in the configuration file.

Table 6-1 Configuration file parameters

[MaxFileSize]
    Description: Specify the maximum file size for the log file in MB
    Range of values: 1 MB to 1024 MB (1 GB)
    Default value: 1 MB

[NoOfBackupFile]
    Description: Specify the number of backup files of logs that can be stored per module. For example, if the value of NOOFBACKUPFILE is 3, then ESM stores a maximum of 3 backup files for the module.
    Range of values: 0 to 20
    Default value: 1

[LogFileDirectory]
    Description: Specify the absolute path to store the log file and backup log files.
    Range of values: N/A
    Default value: The %systemroot%\temp directory is used on the Windows operating systems.

[<module>_LogLevel]
    Description: Specify the log level along with the short name of the module.
    Following are the short names for DB2 modules:
    ■ db2module for DB2 Remote module
    ■ db2auditconfig for DB2 Audit and Configuration module
    ■ db2discovery for DB2 Discovery module
    ■ db2system for DB2 system module
    ■ db2privileges for DB2 Privileges module
    ■ db2patch for DB2 Fix Pack module
    ■ db2config for DB2 Configuration module
    For example, to log all error messages for the ESM DB2 Discovery module, specify the following:
    [db2discovery_LogLevel]=ESMERRORS
    Range of values: N/A
    Default value: ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION

If the esmlog.conf file is not present then no log file is written.


Log file

The ESM application now stores the log file of the modules in the directory that the user specifies. If the directory that the user specifies does not exist, then the module first creates the directory and then stores the log files in it.

The log file has the following format:

<module_name>.log

The <module_name> is the short name of the module. For example, the log file of the ESM DB2 Discovery module is named db2discovery.log. The backup file name for ESM DB2 Discovery module is named db2discovery.log_1.bak and so on.

Note: During the process of logging, ESM locks the log file to store the logging information. If the log file is open at that time, the information to be written to the logs may be lost.

Format of the log file

A log file contains the following fields:

Serial Number
    Serial number of the log file entry.
    The serial number is displayed in hexadecimal format.
    The serial number is reset in the next policy run on the module.

Thread ID
    Thread identifier of the process that generated the message

Source File Name
    Name of the source file that caused the message to be generated

Line Number
    Line number in the source file from where the message was generated

Date
    Date on which the log was created

Time
    Time at which the log was created

Message
    The actual message that was generated along with the log level of that message.

Backup of logs

When the log file reaches a specified size limit, ESM backs up the log file. This size limit is configurable and you can specify it in the MaxFileSize parameter of the configuration file.

If the log file reaches the MaxFileSize value, ESM creates a backup of the log file depending on the NoOfBackupFile value that is specified in the configuration file. For example, if the NoOfBackupFile value is 0, ESM overwrites the existing log file, if any, for the module.

Chapter 7: Logging DB2 modules on UNIX

This chapter includes the following topics:

■ Log functionality on ESM DB2 modules

Log functionality on ESM DB2 modules

The logging feature in the ESM DB2 modules enables the ESM to log the information, such as errors and exceptions that a module generates at the runtime. This feature is enabled for the Audit configuration, Fix pack, Remote, System, Configuration, Privileges, and Discovery modules. Detailed logging is also enabled for the DB2Setup.exe that is used for DB2 configuration.

Log levels of the messages

The log level specifies the type and criticality of a message. You can manually create a configuration file and specify the log level messages that you want to be logged.

ESM checks the log level that you set in the configuration file and stores only the qualifying messages in the log file.

See “Creating the log configuration file” on page 60.

You can specify the following log levels:

ESMNOLOG
    Disable logging for the module

ESMCRITICALFAILURES
    All critical failures are logged.
    ESM always logs all critical failures irrespective of the log level that you specify in the configuration file. However, if ESMNOLOG is specified in the configuration file, ESM does not log the critical failures.
    ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION is the default log level and you need not explicitly specify it in the configuration file.

ESMERRORS
    All errors are logged.
    The following are some examples of the errors:
    ■ Template file not found
    ■ Configuration file not found

ESMEXCEPTIONS
    All exceptions are logged.

ESMWARNINGS
    All warnings are logged.

ESMINFORMATION
    All information messages are logged.
    The information that is gathered during a policy run is also logged at this level.
    Note: When you enable the ESMINFORMATION level, the performance of the module may be affected because all the information messages get logged.

ESMTRACE
    All debug information is logged.

ESMPERFMANCETIMING
    All time-consuming operations are logged.

ESMAUDIT
    All audit information is logged.
    This level covers the data modification operations such as Correction and Update.

ESMMAXIMUM
    Includes all log levels except ESMNOLOG.

You specify the log level in the LogLevel parameter of the configuration file. For example, to log the messages that are related to critical failures for the DB2 Discovery module, specify the log level as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES

You can also specify multiple log levels by separating them with a pipe (|) character as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES|ESMPERFMANCETIMING

You can use log levels for specific operations as follows:

For regular policy runs
    ESMCRITICALFAILURES and ESMERRORS

To generate detailed logs for policy failure
    ESMCRITICALFAILURES, ESMERRORS, ESMTRACE, and ESMINFORMATION

Creating the log configuration file

You can create a configuration file named esmlog.conf in the <esm_install_dir>/config folder and specify the values that ESM uses to store the logs of a module.

To create the configuration file

1 Change to the <esm_install_dir>/config folder.

2 Create a new text file and specify the parameters and their values.

3 Save the text file as esmlog.conf.

See “Parameters of the configuration file” on page 60.

The following is an example of the entries in the configuration file:

[MaxFileSize] = 1024

[NoOfBackupFile] = 20

[LogFileDirectory] = <esm_install_dir>/system/agentname/logs

[db2discovery_LogLevel] = ESMINFORMATION|ESMTRACE

[db2discovery_LogLevel] = ESMMAXIMUM

Note: No default configuration file is shipped with the ESM DB2 modules. You need to manually create the file and specify the parameters in it. To specify a different module to log messages for, substitute the binary name of the module for db2discovery in the specified example.

Parameters of the configuration file

Table 7-1 lists the parameters that you need to specify in the configuration file.

Table 7-1 Configuration file parameters

[MaxFileSize]
    Description: Specify the maximum file size for the log file in MB
    Range of values: 1 MB to 1024 MB (1 GB)
    Default value: 1 MB

[NoOfBackupFile]
    Description: Specify the number of backup files of the logs that can be stored per module. For example, if the value of NOOFBACKUPFILE is 3, then ESM stores a maximum of 3 backup files for the module.
    Range of values: 0 to 20
    Default value: 1

[LogFileDirectory]
    Description: Specify the absolute path to store the log file and backup log files.
    Range of values: N/A
    Default value: The directory /esm/system/<hostname>/tmp/

[<module>_LogLevel]
    Description: Specify the log level along with the short name of the module.
    For example, to log all error messages for the ESM DB2 Discovery module, specify the following:
    [db2discovery_LogLevel]=ESMERRORS
    Range of values: N/A
    Default value: ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION

If the configuration file esmlog.conf is not present, then the logging functionality appears to be disabled and no logs are generated.
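Because the file is created by hand, it helps to check it against the ranges in Table 7-1 before a policy run. The following linter is an added example, not part of the Symantec guide or product; the function name, the set of accepted log-level names (taken from this section only), and the sample input are assumptions.

```python
import re

# Ranges taken from Table 7-1 of the guide.
INT_RANGES = {"MaxFileSize": (1, 1024), "NoOfBackupFile": (0, 20)}
# Assumption: level names as they appear in this section; extend from the guide's full list.
KNOWN_LEVELS = {"ESMCRITICALFAILURES", "ESMERRORS", "ESMTRACE", "ESMINFORMATION",
                "ESMMAXIMUM", "ESMCRITICALFAILURE", "ESMERROR", "ESMEXCEPTION"}
ENTRY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*=\s*(?P<value>.*)$")


def lint_esmlog_conf(text):
    """Return a list of (line_number, problem) tuples for esmlog.conf content."""
    problems, seen = [], {}
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if not match:
            problems.append((num, "not in '[Parameter] = value' form"))
            continue
        key, value = match.group("key"), match.group("value").strip()
        if key in seen:  # the guide does not say which entry wins, so flag repeats
            problems.append((num, f"{key} already set on line {seen[key]}"))
        seen[key] = num
        if key in INT_RANGES:
            low, high = INT_RANGES[key]
            if not value.isdecimal() or not low <= int(value) <= high:
                problems.append((num, f"{key} must be an integer from {low} to {high}"))
        elif key == "LogFileDirectory":
            if not value.startswith("/"):  # UNIX absolute path, per Table 7-1
                problems.append((num, "LogFileDirectory must be an absolute path"))
        elif key.endswith("_LogLevel"):
            unknown = [lv for lv in value.split("|") if lv.strip() not in KNOWN_LEVELS]
            if unknown:
                problems.append((num, f"unrecognized log level(s): {', '.join(unknown)}"))
        else:
            problems.append((num, f"unknown parameter {key}"))
    return problems


# Constructed sample input, modelled on the guide's example with deliberate mistakes.
SAMPLE = """[MaxFileSize] = 2048
[NoOfBackupFile] = 20
[LogFileDirectory] = esm/logs
[db2discovery_LogLevel] = ESMINFORMATION|ESMTRACE
[db2discovery_LogLevel] = ESMMAXIMUM
"""

if __name__ == "__main__":
    for num, problem in lint_esmlog_conf(SAMPLE):
        print(f"line {num}: {problem}")
```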

Log file

The ESM application now stores the log file of the modules in the directory that the user specifies in the esmlog.conf file. If the directory that the user specifies does not exist, then the module first creates the directory and then stores the log files in it.

The log file has the following format:

<module_name>.log

The <module_name> is the short name of the module. For example, the log file of the ESM DB2 Discovery module is named db2discovery.log. The backup file for the ESM DB2 Discovery module is named db2discovery.log_1.bak and so on.

Note: During the process of logging, ESM locks the log file to store the logging information. If the log file is open at that time, the information about the logs may be lost.

Format of the log file

A log file contains the following fields:

Serial Number: Serial number of the log file entry. The serial number is displayed in hexadecimal format. The serial number is reset in the next policy run on the module.

Thread ID: Thread identifier of the process that generated the message.

Source File Name: Name of the source file that generates the message.

Line Number: Line number in the source file from where the message generates.

Date: Date on which the log was created.

Time: Time at which the log was created.

Message: The actual message that was generated along with the log level of that message.

Backup of logs

When the log file reaches a specified size limit, ESM backs up the log file. This size limit is configurable and you can specify it in the MaxFileSize parameter of the configuration file.

If the log file reaches the MaxFileSize value, ESM creates a backup of the log file depending on the NoOfBackupFile value that is specified in the configuration file. For example, if the NoOfBackupFile value is 0, ESM overwrites the existing log file, if any, for the module.
